IE vs. Mozilla on the Shell Hole: Whose Bug Is It?

Opinion: Mozilla exposed the scheme, opened the hole. Now it's a debate in security circles. But the only way this is a vulnerability in Windows is if it's a vulnerability for a shell to be able to run programs.

In the wake of last week's revelation of a security hole in Mozilla that allows the execution of arbitrary programs on the client system, a philosophical debate has emerged: Is this a bug in Mozilla or a bug in Windows?
I think the argument is that Windows should prevent the shell scheme from executing programs, but this isn't a job for Windows. This is a job for the browser. All Windows is doing in the case of what was just patched in Mozilla is taking an instruction to run a program and running it. If the browser didn't ask for it, it wouldn't happen.
Clearly the behavior of the browser is important here. Internet Explorer in Windows XP SP2 kills off the links completely, much as the patched Mozilla does (in fact, the patched Mozilla doesn't even underline them, making them appear as plain text).

But even IE in Windows XP SP1 behaves more reasonably. Its behavior is identical to that of a straight href of the program file. The user is asked whether they want to save or open the file and is given a clear warning that the program could be hazardous.

How did Microsoft get Internet Explorer to do this? It actually looks as if IE just stripped the shell: from the link and treated it like a regular href. This is an interesting thought; still, the important point here is that Microsoft didn't just take a program name and tell Windows to execute it.
I've seen some claim that the fact that SP2 is so merciless with shell: links is proof Microsoft knows there was a problem in Windows, that what was really fixed was the browser, not Windows. Remember, it's the browser's behavior that's changed in SP2, disabling the links completely.

For example, I was able to make an SP2-like change in an SP1 system with a very small change to the registry. The change is quite analogous to the Mozilla fix from last week.
In the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults I created a REG_DWORD value named shell and gave it the value 0. Thereafter, Internet Explorer on the system treated the shell: links as dead. No action at all was taken when anyone clicked on them. The user could right-click and select Open or Open in a New Window, but nothing would happen. On this same system, an unpatched copy of the Mozilla browser still loaded the programs when the links were clicked.
So, what does this experiment prove?
If there is a Windows facility for shell links and it's that which is at fault, then Internet Explorer doesn't use the same one as Mozilla. It looks as though there's less here of Windows than some think. The parsing and passing off to the Windows shell with Explorer is entirely a browser affair.
In discussions with representatives of the Mozilla Foundation, they conceded this indeed was a bug and didn't try to foist the blame on to Microsoft. And that's because they know what's usually perfectly obvious: that browsers are supposed to look suspiciously at content and try to protect the user. There's little to be gained by a defense that it's Windows' fault, not when you wrote the application to tell Windows to run whatever content comes up.
The fact is that any operating system allows programs to run other programs. The real difference here between Windows and other operating systems is the permissions of the user in whose context the browser is running. If the user has administrative rights, as is the case with far too many Windows users, then the browser can do whatever it wants. If the user is restricted, then so will be the capabilities of programs they run.
For corporate Windows installations, this browser situation is an implementation issue, because it's definitely possible to have users log in to Windows with restricted permissions. (One day I really must look into whether this can be done practically with a Windows XP Home system, but more importantly it just isn't done.)
None of this changes the fact that the browser basically told the operating system to run a program. This is a natural thing for a program to do, IE, Mozilla or otherwise, if it's safe to do. And if it's not safe the browser shouldn't do it.
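The policy argued for above, sketched as an added JavaScript example (not code from the article, Mozilla or Microsoft): the browser decides by URL scheme whether a link from untrusted content is navigated, needs user confirmation, or is left dead, and shell: falls through to the default of a dead link. The function names, the allowlist contents and the sample links are assumptions constructed for illustration.

```javascript
// Added example: default-deny scheme policy for links found in untrusted pages.
// Set contents and all names are hypothetical, chosen for illustration only.
const INTERNAL_SCHEMES = new Set(["http", "https", "ftp"]); // rendered by the browser itself
const PROMPT_SCHEMES = new Set(["mailto"]);                 // passed on only after the user confirms

// Recover the scheme the way a lenient URL parser would see it, so that
// " ShElL:..." or "sh<TAB>ell:..." cannot slip past a naive string compare.
function extractScheme(href) {
  const cleaned = String(href)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "") // trim spaces and control chars
    .replace(/[\t\r\n]/g, "");                           // drop embedded tab/CR/LF
  const m = /^([a-zA-Z][a-zA-Z0-9+.\-]*):/.exec(cleaned);
  return m ? m[1].toLowerCase() : null;                  // null: relative link, no scheme
}

// Returns "navigate", "prompt" or "block". Anything not explicitly allowed,
// shell: included, is blocked: the link is dead and nothing reaches the OS.
function decideLinkAction(href) {
  const scheme = extractScheme(href);
  if (scheme === null || INTERNAL_SCHEMES.has(scheme)) return "navigate";
  if (PROMPT_SCHEMES.has(scheme)) return "prompt";
  return "block";
}

// Constructed sample links (placeholders, not taken from the article).
const SAMPLE_LINKS = [
  "https://example.com/index.html",
  "docs/page.html",
  "mailto:user@example.com",
  "shell:placeholder",
  "  ShElL:placeholder",
  "sh\tell:placeholder",
  "unknownscheme:anything",
];

for (const link of SAMPLE_LINKS) {
  console.log(JSON.stringify(link), "->", decideLinkAction(link));
}
```
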
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

Larry Seltzer has been writing software for and English about computers ever since, much to his own amazement, he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.